Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Domain group policy - Run as Admin


  • Please log in to reply
6 replies to this topic

#1 jennyjech

jennyjech

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 04 September 2014 - 05:48 PM

Bleeping computer geeks, I would like to ask about domain group policy, what I want to know is. Can I or Is there a group policy where I can automatically "Run as Admin" an application and not ask for my Administrator credentials? 

 

Because we have an application on our domain network that needs elevated account to run.

 

I'm using windows server 2012 r2

 

Thank you and hope to hear from you guys. 

 

 



BC AdBot (Login to Remove)

 


#2 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:01:51 AM

Posted 04 September 2014 - 06:55 PM

One way I can think of doing it... create a batch to enable local admin account if not already enabled. (don't forget to create a password) then run it on workstations. Then create an admin enabled shortcut by adding this to target.

runas /user:ComputerName\Administrator /savecred “C:\Path\To\Program.exe“

Then just copy the shortcuts to the required desktops... the first time you run it you'd have to enter the password manually though.

 

Even though this could be a pain if you have a lot of machines I'd go this way to avoid saving a domain admin password on any workstation...

 

TsVk!

 

:busy:



#3 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:01:51 AM

Posted 04 September 2014 - 07:06 PM

There is also the issue that if you have tech savvy people on board they might exploit runas /savecred to run any program they want as admin afterwards... must users wouldn't realize you have opened this hole though.



#4 jennyjech

jennyjech
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:51 AM

Posted 04 September 2014 - 07:10 PM

One way I can think of doing it... create a batch to enable local admin account if not already enabled. (don't forget to create a password) then run it on workstations. Then create an admin enabled shortcut by adding this to target.

runas /user:ComputerName\Administrator /savecred “C:\Path\To\Program.exe“

Then just copy the shortcuts to the required desktops... the first time you run it you'd have to enter the password manually though.

 

Even though this could be a pain if you have a lot of machines I'd go this way to avoid saving a domain admin password on any workstation...

 

TsVk!

 

:busy:

 

Thank you TsVk! ill try that.

 

 

There is also the issue that if you have tech savvy people on board they might exploit runas /savecred to run any program they want as admin afterwards... must users wouldn't realize you have opened this hole though.

 

I can just hope that they won't know it. thank you.



#5 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:01:51 AM

Posted 04 September 2014 - 07:37 PM

You're welcome. :thumbup2:



#6 sflatechguy

sflatechguy

  • BC Advisor
  • 2,233 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:11:51 AM

Posted 04 September 2014 - 08:44 PM

Unfortunately, group policy isn't, by default, configured to allow that. However, this is an application you can install on servers and clients that will create special group policies that will give you the option of allow users to run allowed applications with admin privileges.

http://redmondmag.com/articles/2011/09/01/scriptlogic-privilege-authority-boosts-user-productivity.aspx



#7 TsVk!

TsVk!

    penguin farmer


  • Members
  • 6,234 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Antipodes
  • Local time:01:51 AM

Posted 04 September 2014 - 09:05 PM

runas /savecred It works fine on my domain, which is highly restricted for most users. I just tested it.

 

Thanks for the link though sflatechguy... Sadly it has been purchased by Dell and integrated into their server management products.






1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users